Perform threat enrichment on observables

  • Release version: Xanadu
  • Updated August 1, 2024
  • 1 minute to read

    • You can perform threat intelligence enrichment on one or more observables to determine whether they’re associated with known security threats. The implementations that run depend on the ones you’ve activated.

    Before you begin

    Before you can perform enrichment, you must activate the Threat Intelligence plugin. You must also install the plugin for one or more of the enrichment implementations:

    Role required: sn_ti.admin

    Procedure

    1. Navigate to All > Threat Intelligence > IoC Repository > Observables.
    2. Do one of the following steps:
      • To perform a lookup on more than one observable, select the observables, click Actions on selected rows, and select Run threat lookup.
      • To perform a lookup on a single observable, open the observable record, and click the Run threat lookup related link.
      Run Threat Lookup slushbucket
    3. Select the threat lookup implementations you want to use, or select All to perform lookups using all of the active implementations, then click Submit.
      A message indicates that the threat lookups have begun. The Security Operations Integration - Threat Lookup workflow runs and also executes the implementation workflows for the threat lookup implementations you selected. The lookups are performed and the results are generated.
    4. When the lookups are completed, you can click the Threat Lookup Results tab to view the results.
      Threat Lookup Results
    5. To see additional details, including raw results for a specific lookup, click the Result value.
      Note:
      When the VirusTotal or OPSWAT Metadefender implementations are used, the details are consolidated, as shown below.
      Threat Lookup Results details